Only permit users to install from a specified app whitelist?

Marc H.

My apologies for the noob question. I am tasked with detection, enforcement, and validation that deployed devices only have approved applications installed. The MDM we're using is MobileIron, which from my limited involvement seems fine for detecting after an app is installed. I was looking for a solution similar to OTG that locks down the device to only permit installs from an internal app store that has approved applications.

Is there a solution so that app store requests only go to our internal app store, not the official Apple App Store?

jesselvella

Aaron is correct that you could just install the necessary apps and then just deploy a profile to disable the App Store. I've been working with an MDM vendor called AirWatch that does exactly what you're looking for. They have their own App Store, in a way, that you can deploy only particular apps to. So you'll disable the native Apple App Store and deploy the AirWatch App Store. Users can only see apps you approve. There is a workaround, however, in that the App Store NEEDS to be re-enabled for a short time in the background to download the app. So users could potentially multitask to the App Store and grab another app. The nice thing about AirWatch is that you can set a compliance policy to tell the admin that a blacklisted app has been installed. Beyond that you can do what AirWatch calls "death by notification" and basically warn the user every few seconds or minutes to remove the app since they are out of compliance, thus almost annoying them into removing the app they installed. If all else fails you can deploy policies to further restrict that user so they will comply with your policy.

vpogrebi

I am researching a way for an MDM server to implement iOS app white-/black-listing for public (iTunes App Store) apps. In other words, how can an MDM server allow the device holder to install certain apps from the App Store (white-listed apps), while preventing them from installing other (black-listed) apps? This question is different from the question (and answer) above in that instead of the Mobile Device Admin initiating app distribution, we want to give the end user (device holder) the ability to install certain apps (while keeping the "app install" restriction in place).

A slightly different question is: how can a Mobile Device Admin (MDM administrator) selectively add public (iTunes App Store) apps to an "Enterprise App Store", thus making those apps available for download/install by device holders? Many sources say that white-listing can be implemented by adding apps to an "Enterprise App Store", but *how exactly* can this be done for public apps (apps that can be distributed via iTunes but not downloaded as distribution packages)?

- Val

jesselvella

I actually think all of your questions are answered by the above answer. AirWatch removes the Apple App Store and adds their own. Within the AirWatch App Store you can add only the apps you want, thus creating a "white list", and all other apps are on a black list. If you need a more detailed description or if my answer isn't what you're looking for please let me know.

Thanks!
Jesse

Uroshnor

- App Store (one of public, VPP or B2B). This requires an iTunes Store account on the device. Permission to install App Store apps can be removed by MDM, and permission to delete apps can be removed by MDM on supervised devices. If you allow user-installed apps, your MDM can maintain a white list or a black list however the MDM vendor feels appropriate, and take whatever action or sanction you deem appropriate if a user deviates from what is approved. MDM can keep the restriction in place most of the time, and turn it off only when it wants apps to be installed on the device.

- Developer deployment. This is only possible on devices registered as development devices that are part of the team that code-signed the app, and is fine for beta testing and development, but that's about it. These apps do not require an active iTunes Store account on the device to install or run.

- Enterprise deployment. These Apps are signed by an iOS Developer Enterprise Program code signing certificate, and do not require an iTunes store account on the device.

Note that if you are using MDM to control App Store apps, then you need to decide how you want to manage iTunes Store accounts. Apple's model is that users just use their own, and you don't need to care, but not all users will have an iTunes Store account, so you need to decide whether the users will self-create accounts not attached to a credit card, OR you want to create them for them (this is a non-trivial task, and really only makes sense if you want to use iMessage and FaceTime linked to "work" email addresses).

These things really combine to give you 4 or 5 tiers of "whitelisting", depending on what level of control you want to exercise:

1. The lowest tier is the MDM maintaining a black list and activating warnings or sanctions if users violate it. These can range from push notifications or emails warning the user of the need to remove the offending app, to escalating to the user's supervisor, to an "enterprise wipe" of corporate information, to unenrolment from MDM, or (unlikely) a total device wipe.

2. The next tier is simply that the MDM provides a UI linking to "recommended" or "approved" apps for the user to self-install, essentially so they don't need to search the App Store to find them. This is useful insofar as it minimises the user installing the wrong version of the app (e.g. the app vendor has different versions for different markets / languages *sigh*), or fake versions of apps (this is virtually non-existent on Apple's App Store, but is prevalent on Google Play).

3. The next tier up in control still has the user self-installing from a pick list provided by the MDM, but instead of just a black list, it is maintained as a white list, i.e. if you install anything other than what is on the list, you are subject to sanctions on an escalating scale as per the description in the lowest tier. This is basically what AirWatch does.

4. Up from that, the user's ability to self-install apps is removed, but the user still has a list of "approved" apps they can self-install; however, they are installed via MDM. In this case the UI provided to the user is a pick list, but the MDM initiates the actual removal of restrictions, manages the licensing and sends the download command to the device. The MDM vendor needs to specifically implement this behaviour, and not many do at the moment.

5. In the most restrictive case, the user has no say in which apps are installed; the MDM simply pushes everything they are allowed/required to use to the device, and manages all licences, restrictions and Enterprise apps.

The blacklisting can be combined with any of the other tiers. Note also that the user's ability to remove apps can be restricted, but this requires the device to be supervised. Typically you'd bring this into play at the last two tiers described above. BYOD and COPE use cases usually mean you are in tiers 1-3, with the upper 2 being reserved for the most restrictive/secure environments.

The only way to have a "pure" whitelist, without ever having a window where the user can install stuff, is to supervise the devices, prevent pairing over USB, only deploy Enterprise in-house apps, and prevent the user from installing or deleting apps. This is too restrictive for most use cases, but is common in moderate to high security government scenarios.

An "Enterprise App Store" is typically either:

- a web site with links to the public App Store, and the manifests and app bundles for Enterprise apps (with the appropriate MIME types set on the web site),

and/or

- a client side App or web clip that presents the UI to the user.

Usually this web server will be integrated with the MDM, and the user doesn't necessarily authenticate independently. Note that an "Enterprise App Store" never stores any Apple App Store apps; it merely links to them. The only apps that it really "stores" are ones being delivered via Enterprise deployment.

The OP should really just have a chat with their MDM provider, MobileIron, to clarify exactly what they want to do. I'm not saying AirWatch is bad or wrong; in many ways it's one of the best MDMs out there.
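The tier 1 / tier 3 behaviour described above (the MDM reads the device's installed-app inventory, compares it with a black list or a white list, and escalates sanctions on repeat offences) as an added, runnable example. This is not code from the thread or from any MDM product; the InstalledApplicationList response, the bundle identifiers and the sanction ladder are all constructed here for illustration, and the "Identifier" key is the one the iOS MDM protocol uses for that response.

```python
"""
Added example, not from the thread: evaluate an iOS MDM
InstalledApplicationList response against a whitelist or a blacklist and
pick an escalating sanction (the tier 1 / tier 3 behaviour discussed above).
The response plist, the bundle identifiers and the sanction ladder are all
constructed for illustration.
"""
import plistlib
from dataclasses import dataclass

# Escalation ladder for repeat offenders; the ordering is this example's assumption.
SANCTIONS = ("notify_user", "notify_supervisor", "enterprise_wipe", "unenroll")


@dataclass(frozen=True)
class Policy:
    mode: str                 # "whitelist" or "blacklist"
    apps: frozenset           # bundle identifiers the mode applies to
    # Apple's built-in apps are not user-installed, so they never count as a violation.
    exempt_prefixes: tuple = ("com.apple.",)


def installed_identifiers(plist_bytes: bytes) -> set:
    """Bundle IDs from an InstalledApplicationList response (MDM protocol key names)."""
    doc = plistlib.loads(plist_bytes)
    return {app["Identifier"] for app in doc.get("InstalledApplicationList", [])}


def violations(installed: set, policy: Policy) -> list:
    """Bundle IDs that break the policy, sorted so reports are stable."""
    candidates = {b for b in installed if not b.startswith(policy.exempt_prefixes)}
    if policy.mode == "blacklist":
        return sorted(candidates & policy.apps)      # anything on the list is bad
    if policy.mode == "whitelist":
        return sorted(candidates - policy.apps)      # anything off the list is bad
    raise ValueError(f"unknown policy mode: {policy.mode!r}")


def next_sanction(prior_warnings: int) -> str:
    """Escalate one rung per prior warning; the ladder saturates at its last rung."""
    return SANCTIONS[min(prior_warnings, len(SANCTIONS) - 1)]


def evaluate(plist_bytes: bytes, policy: Policy, prior_warnings: int = 0) -> dict:
    """Compliance verdict for one device check-in."""
    bad = violations(installed_identifiers(plist_bytes), policy)
    if not bad:
        return {"compliant": True, "violations": [], "action": None}
    return {"compliant": False, "violations": bad, "action": next_sanction(prior_warnings)}


# Constructed sample: what a device might return to an InstalledApplicationList command.
SAMPLE_RESPONSE = plistlib.dumps({
    "CommandUUID": "00000000-0000-0000-0000-000000000001",
    "Status": "Acknowledged",
    "UDID": "constructed-device-udid",
    "InstalledApplicationList": [
        {"Identifier": "com.apple.mobilesafari", "Name": "Safari", "ShortVersion": "7.0"},
        {"Identifier": "com.example.crm", "Name": "Example CRM", "ShortVersion": "2.1.0"},
        {"Identifier": "com.example.vpn", "Name": "Example VPN", "ShortVersion": "1.4"},
        {"Identifier": "com.example.games.slots", "Name": "Slots", "ShortVersion": "3.0"},
    ],
})

if __name__ == "__main__":
    blacklist = Policy("blacklist", frozenset({"com.example.games.slots"}))
    whitelist = Policy("whitelist", frozenset({"com.example.crm", "com.example.vpn"}))
    print("blacklist, first offence:", evaluate(SAMPLE_RESPONSE, blacklist))
    print("whitelist, third offence:", evaluate(SAMPLE_RESPONSE, whitelist, prior_warnings=2))
```

The exempt-prefix rule matters for whitelist mode: without it every Apple-bundled app would show up as a violation on the first check-in. Which rung the ladder starts at, and whether an "enterprise wipe" rung exists at all, is a policy decision for the deployment, not something the code should decide.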

vpogrebi

Uroshnor - thanks, your response is helpful, and it is "in line" with my current understanding of black-/white-listing. But I still have some "grey" areas that I do not understand 100%...

From your response (Uroshnor), levels #1 and #3 are essentially the same (in that the device holder has the ability/freedom to install App Store apps, and the MDM server just "watches" it by maintaining a list of either permitted or prohibited apps and performs admin "sanctions" when a disallowed app is installed). This is "passive" MAM...

Level #2 is also "passive" MAM, in that the device holder still has "app install" rights, and the MDM server just "watches" what's been installed on the device. The difference between #2 and #1/#3 is that in this case the MDM maintains its own "App Store" repository and presents users with a GUI to access that "App Store" (repository of "prepared" white-listed apps).

Levels #4 and #5 are "active" MAM, where the device holder does not have "app install" rights, and installs are initiated by the MDM server instead.

I perfectly understand these different methods/levels (in my case, I am interested in implementing a combination of #4 and #5, but might also consider #2)...

What I *do not understand* is this... Both #4 and #5 (as well as #2) are based on the MDM Administrator (Device Admin) maintaining its own "App Store" (repository of white-listed apps) from which either the user can initiate an app install (which is carried out by an MDM server push), or the device admin pushes the app install to the devices. So... there is this collection (repository) of apps that the device admin creates. My question is (hope you can help me understand this particular aspect): HOW EXACTLY CAN A PUBLIC APP (an app maintained by the vendor on the iTunes Store) BE ADDED TO YOUR OWN "APP STORE"?

I mean... to "add" an app to your own App Store, you need to have the app's distribution archive (.ipa in the case of iOS, .apk in the case of Android). In the case of levels #4 and #5 (where apps are being "pushed" by the MDM server) you not only have to have the app archive, but you must also sign that archive with your own distribution certificate and include your own provisioning profile within that archive, and create a manifest file that will be used to push the app to devices.

So... how exactly can this be done for PUBLIC apps (apps from the iTunes App Store)? How can you take public apps and make them available via your own "App Store"?

Please help me understand this...

- Val

Uroshnor

The "Enterprise App Store" only contains the actual binaries for Enterprise (or development) apps. Any App Store apps are merely pointed to; in the simplest case these are just a cut and paste of the direct iTunes URL. Even when doing managed distribution, the MDM is managing the "licences", not the actual app; the app still comes directly from the App Store.

So you aren't storing those binaries, you are merely referencing a location on the public App Store in some way. That is, "Enterprise App Stores" do not store public App Store app binaries (at least on iOS); they only hold a reference to the Apple App Store.

If I wasn't clear, that means you can't use the App Store in the most restrictive approaches; it's Enterprise only (because App Store apps come from the App Store, you have to enable it, albeit temporarily).

Some explanations of how to do OTA distribution of Enterprise and Ad-Hoc deployment are here :

What some of the vendors do is provide EVERYTHING as links in the version the user browses, and the MDM then sends commands to the device to download what was described in those links (from their real locations).

Note that whilst it is technically feasible (using a jailbroken device) to re-wrap an App Store app with an Enterprise certificate, and host the new binary internally, my reading of the agreements is that it violates both the iTunes Store agreement and the Developer Agreement to do so. There is a very fine line between doing this and piracy (as at that point, no one is being compensated for the app). It's trivial to do this on Android as well, and you can do it with an emulator; you don't even need a device.

Typically with MDM, in its management console, you just drop in the links to the App Store apps you want it to present, and then upload the Enterprise or Ad-Hoc apps through a different UI in the management console. Most MDM vendors will be able to tailor what the user is presented with based on user identifier or role or something similar, so it isn't one size fits all.

Note also that on iOS, apps are always "pulled" to the device; it's just that when a device is under MDM, there is a command sent by MDM to tell the device to pull a specific app down.

In practice, I don't believe it matters much. The search for absolutes is a waste of effort in most cases, and you can deliver a 95% solution by leveraging the App Store, and also actively monitoring devices and taking action for exceptions.
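The Enterprise-only half of the store described in these two posts, i.e. the part that actually hosts binaries, is the OTA (wireless) distribution manifest plus the itms-services link, with the web server's MIME types set correctly. The following is an added example, not code from the thread or from any MDM vendor: it builds and validates such a manifest, builds the install link, and checks a server's MIME mapping. The hostname, bundle identifier, version and title are placeholders; the two MIME types are the ones Apple's enterprise distribution documentation lists, and the HTTPS requirement on the manifest URL has applied since iOS 7.1 (requiring it for the .ipa URL as well is this example's own policy).

```python
"""
Added example, not from the thread: produce the manifest.plist and the
itms-services link used for wireless (OTA) enterprise app distribution,
validate a manifest before it is published, and check a web server's
MIME mapping for the two files. Names and URLs are placeholders.
"""
import plistlib
from urllib.parse import quote, urlparse

# MIME types the web site must send for OTA distribution to work.
REQUIRED_MIME = {".ipa": "application/octet-stream", ".plist": "text/xml"}


def _require_https(url: str, what: str) -> None:
    # iOS (7.1+) refuses a manifest fetched over plain HTTP. Demanding the same
    # for the package URL is this example's policy: it stops a hostile network
    # from swapping the binary between the manifest and the download.
    if urlparse(url).scheme != "https":
        raise ValueError(f"{what} must be served over https: {url}")


def build_manifest(ipa_url: str, bundle_id: str, bundle_version: str, title: str) -> bytes:
    """Serialised manifest.plist for one enterprise-signed app."""
    _require_https(ipa_url, "software-package url")
    manifest = {
        "items": [{
            "assets": [{"kind": "software-package", "url": ipa_url}],
            "metadata": {
                "bundle-identifier": bundle_id,
                "bundle-version": bundle_version,
                "kind": "software",
                "title": title,
            },
        }]
    }
    return plistlib.dumps(manifest)


def parse_manifest(manifest_bytes: bytes) -> dict:
    """Validate a manifest (e.g. one uploaded to the store) and return its key fields."""
    doc = plistlib.loads(manifest_bytes)
    items = doc.get("items") or []
    if len(items) != 1:
        raise ValueError("expected exactly one item in the manifest")
    item = items[0]
    packages = [a for a in item.get("assets", []) if a.get("kind") == "software-package"]
    if len(packages) != 1:
        raise ValueError("expected exactly one software-package asset")
    meta = item.get("metadata", {})
    for key in ("bundle-identifier", "bundle-version", "kind", "title"):
        if key not in meta:
            raise ValueError(f"manifest metadata is missing {key!r}")
    _require_https(packages[0]["url"], "software-package url")
    return {
        "bundle_id": meta["bundle-identifier"],
        "version": meta["bundle-version"],
        "ipa_url": packages[0]["url"],
        "title": meta["title"],
    }


def install_link(manifest_url: str) -> str:
    """The link a user taps in Safari (or in a web clip) to start the install."""
    _require_https(manifest_url, "manifest url")
    return "itms-services://?action=download-manifest&url=" + quote(manifest_url, safe="")


def mime_misconfigurations(server_mime: dict) -> list:
    """Extensions whose served MIME type differs from what iOS expects."""
    return sorted(ext for ext, want in REQUIRED_MIME.items() if server_mime.get(ext) != want)


if __name__ == "__main__":
    # Placeholder URLs and identifiers; nothing here is a real deployment.
    manifest = build_manifest("https://apps.example.com/crm.ipa",
                              "com.example.crm", "2.1.0", "Example CRM")
    print(manifest.decode())
    print(parse_manifest(manifest))
    print(install_link("https://apps.example.com/crm.plist"))
    print("misconfigured:", mime_misconfigurations({".ipa": "application/octet-stream",
                                                    ".plist": "application/xml"}))
```

The validator is the part worth keeping around: the manifest is what tells the device which bundle it is about to install, so a store that accepts uploaded manifests should reject anything with an unexpected asset or a non-HTTPS package URL before it is linked from the catalogue.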

vpogrebi

Your answers are extremely helpful! I had a somewhat similar understanding before, but you greatly clarified what I was not fully sure of. I just wish the iOS documentation would explain such things so developers (MDM developers) spend less time researching and more doing.

Eddie_Fade

There's no white-listing of apps. However, you can punish those who install apps you don't want them to.

For example, set up an internal app store (actually links to the iTunes App Store) using an MDM like Casper, AirWatch, etc., then tell the users that they should only install apps from there.
Next, create a Smart Group with a filter for devices that have "Unauthorized Apps", and apply annoying restrictions to these devices, like blocking the App Store and any other restrictions. Then put a web clip that says "Unwanted Apps Installed" which will take them to a warning page telling them to remove the unauthorized apps to remove the restrictions.

This way they will learn to comply or be punished.

Obviously they can simply remove the whole MDM profile, but then they should lose access to all enterprise services (Wi-Fi, email, ...).

EDIT: there's an MDM called iBoss that integrates with your network to apply network rules based on the apps installed, and can therefore limit their access to the internet if they have unwanted apps.